Electronic control unit, electronic control system, and recording medium

ABSTRACT

An electronic control unit that is capable of more accurately determining an event that has occurred in a network installed in a mobile body such as a vehicle, the electronic control unit including: a transmitter-receiver that receives first messages transmitted from a first ECU included in an in-vehicle network; and an attack determiner that, when a first message among the first messages received by the transmitter-receiver is determined to have an anomaly, determines whether a cause of the anomaly is an attack on the in-vehicle network.

CROSS REFERENCE TO RELATED APPLICATIONS

This is a continuation application of PCT International Application No. PCT/JP2019/049617 filed on Dec. 18, 2019, designating the United States of America, which is based on and claims priority of Japanese Patent Application No. 2018-247448 filed on Dec. 28, 2018.

FIELD

The present disclosure relates to an electronic control unit, an electronic control system, and a recording medium that perform processing on an anomalous message.

BACKGROUND

Conventionally proposed is a network device for detecting and providing protection against an attack that introduces unauthorized data into a network system, such as an in-vehicle network, to cause a vehicle to malfunction (see Patent Literature (PTL) 1).

When this network device receives first data having the same identifier as reference received data, and a reception interval between the received data and the first data is shorter than a predetermined period, the network device determines whether an anomaly has occurred. In this determination, when the network device receives second data having the same identifier as the first data before the elapse of the predetermined period from a reception time of the reference received data, the network device determines that the anomaly has occurred.

CITATION LIST

Patent Literature

PTL 1: Japanese Unexamined Patent Application Publication No. 2014-146868

SUMMARY

However, the network device according to PTL 1 can be improved upon.

In view of this, the present disclosure provides an electronic control unit capable of improving upon the above related art.

An electronic control unit according to one aspect of the present disclosure includes: a receiver that receives first messages transmitted from a first device included in a network installed in a mobile body; and a determiner that, when a first message among the first messages received by the receiver is determined to have an anomaly, determines whether a cause of the anomaly is an attack on the network, and outputs a result of the determination.

It should be noted that these general or specific aspects may be implemented using a system, a method, an integrated circuit, a computer program, or a computer-readable recording medium such as CD-ROM, or may be implemented using any combination of systems, methods, integrated circuits, computer programs, or recording media.

An electronic control unit of the present disclosure is capable of improving upon the above related art.

BRIEF DESCRIPTION OF DRAWINGS

These and other advantages and features of the present disclosure will become apparent from the following description thereof taken in conjunction with the accompanying drawings that illustrate a specific embodiment of the present disclosure.

FIG. 1 is a diagram showing an exemplary configuration of a communication system including an in-vehicle network in an embodiment.

FIG. 2 is a block diagram showing an exemplary configuration of an attack detection device in the embodiment.

FIG. 3 is a diagram showing causes of an anomaly and characteristics of the causes.

FIG. 4 is a flow chart showing an example of an overall processing operation by the attack detection device in the embodiment.

FIG. 5 is a flow chart showing a specific example of a processing operation by an attack determiner in the embodiment.

FIG. 6 is a flow chart showing another specific example of the processing operation by the attack determiner in the embodiment.

FIG. 7 is a flow chart showing another example of the overall processing operation by the attack detection device in the embodiment.

DESCRIPTION OF EMBODIMENT

(Underlying Knowledge Forming the Basis of the Present Disclosure)

In recent years, more and more vehicles are connected to the Internet to obtain traffic congestion information, traffic information, etc. However, there is a possibility that such vehicles are cyberattacked. In such a cyberattack, an attacker accesses an in-vehicle network by, for example, connecting an unauthorized device to the in-vehicle network, and transmits an unauthorized message to the in-vehicle network, thereby performing unauthorized rewriting of firmware of an ECU of the in-vehicle network or unauthorized control of various actuators in a vehicle via the ECU, etc. Generally, the following three functions are required to prepare for such a cyberattack (hereinafter referred to as an attack). The first function is a function of providing protection against a known attack. The second function is a function of detecting an attack or a symptom of the attack. The third function is a function of updating the first function and the second function. Here, in order to detect and provide protection against a new attack, that is, in order to achieve the third function, it is necessary to analyze how the new attack is carried out using what route or method.

However, when, for example, a server monitors many vehicles and analyzes anomalies of these vehicles, many notifications about the anomalies are expected to be transmitted to the server. As a result, there is a possibility that a communication network (e.g., the Internet) connecting the server and the vehicles is flooded. In view of the above, it is desirable that only notifications about attacks be transmitted exhaustively from the vehicles to the server.

Although the network device according to PTL 1 detects an anomaly to detect and protect against a fraud, the network device does not determine whether a cause of the detected anomaly is an attack. To put it another way, a cause of an anomaly is assumed to be only an attack. As stated above, in a conventionally proposed anomaly detection method for a network in a vehicle, a cause of an anomaly is not classified into an attack or a breakdown that is not an attack.

For example, when a cause of an anomaly is a breakdown, it is necessary to identify a component determined to have an anomaly, and replace the component. Moreover, when a cause of an anomaly is an attack, it is necessary to identify a route and a method used by the attack, and consider preparing for the attack. Here, when a cause of an anomaly is wrongly determined to be an attack regardless of the cause of the anomaly being a breakdown, such a determination makes it difficult to identify a route and a method used by the attack; and even if the route and the method are identified, it is impossible to address the anomaly. Furthermore, when a cause of an anomaly is wrongly determined to be a breakdown regardless of the cause of the anomaly being an attack, there may arise a problem that the same anomaly occurs even when a component is replaced.

As stated above, the network device according to PTL 1 does not sufficiently determine an event that has occurred in the in-vehicle network.

In view of this, the present disclosure provides, for example, an electronic control unit capable of more accurately determining an event that has occurred in a network installed in a mobile body such as a vehicle.

An electronic control unit according to one aspect of the present disclosure includes: a receiver that receives first messages transmitted from a first device included in a network installed in a mobile body; and a determiner that, when a first message among the first messages received by the receiver is determined to have an anomaly, determines whether a cause of the anomaly is an attack on the network, and outputs a result of the determination.

With this configuration, since, when the first message is determined to have the anomaly, the cause of the anomaly that the first message has been determined to have is the attack, it is possible to more accurately determine an event that has occurred in the network. To put it another way, it is possible to determine whether the cause of the anomaly is an attack or a cause other than the attack such as a breakdown or bug. As a result, it is possible to take appropriate measures to the anomaly. Specifically, when the cause of the anomaly is a breakdown, it is possible to address the anomaly appropriately by replacing a broken-down component. In addition, when the cause of the anomaly is an attack, it is possible to address the anomaly appropriately by identifying a route and a method used by the attack and taking measures to the route and the method.

Moreover, when the determiner determines that the cause of the anomaly is not the attack, the determiner may further output information indicating a possibility of a breakdown of the first device. With this configuration, since the information indicating the possibility of the breakdown is outputted when the cause of the anomaly is not the attack, it is possible to address the anomaly appropriately by, for example, replacing a broken-down component.

Moreover, the determiner may determine whether a first data amount of the first messages transmitted per unit of time has increased from a second data amount of normal first messages transmitted per unit of time, and when the determiner determines that the first data amount has increased from the second data amount, the determiner may determine that the cause of the anomaly is the attack.

With this configuration, since it is determined whether an attack characteristic that adds an anomalous message to a normal message has appeared, it is possible to determine such an attack as the cause of the anomaly appropriately.

Moreover, the determiner may determine whether the first messages include an anomalous first message and a normal first message, and when the determiner may determine that the first messages include the anomalous first message and the normal first message, the determiner determines that the cause of the anomaly is the attack.

With this configuration, since it is determined whether an attack characteristic that adds an anomalous message to a normal message has appeared, it is possible to determine such an attack as the cause of the anomaly appropriately.

Moreover, the determiner may determine whether a second message that is determined to have an anomaly has been transmitted from a second device included in the network in a same time period with the first message determined to have the anomaly, and when the determiner determines that the second message has been transmitted, the determiner may determine that a cause of the anomaly is the attack, the second message being related to the first message determined to have the anomaly.

With this configuration, since it is determined whether an attack characteristic has appeared, it is possible to determine the attack as the cause of the anomaly appropriately.

Moreover, the determiner may determine whether a third message has been transmitted to the network when the mobile body is moving, and when the determiner determines that the third message has been transmitted, the determiner may determine that the cause of the anomaly is the attack, the third message being transmitted from outside the mobile body to the network when the mobile body is not moving. Alternatively, the determiner may determine whether the first message determined to have the anomaly has been transmitted when transmission of a first message is stopped by a diagnostic packet, and when the determiner determines that the first message determined to have the anomaly has been transmitted, the determiner may determine that the cause of the anomaly is the attack.

With this configuration, since it is determined whether an attack characteristic that replaces a normal message with an anomalous message has appeared, it is possible to determine such an attack as the cause of the anomaly appropriately.

Moreover, the determiner may determine whether at least one characteristic that appears due to an attack has appeared in the network within a predetermined time period, and when the determiner determines that the at least one characteristic has appeared, the determiner may determine that the cause of the anomaly is the attack.

With this configuration, it is possible to more accurately determine the attack as the cause of the anomaly.

Moreover, when the determiner determines that the cause of the anomaly is the attack, the determiner may identify a type of the attack. For example, when the determiner determines that a first data amount of the first messages transmitted per unit of time has increased from a second data amount of normal first messages transmitted per unit of time, the determiner may identify, as the type of the attack, an additional attack that adds an anomalous message to a normal message. Furthermore, when the determiner determines that the first messages include an anomalous first message and a normal first message, the determiner may identify, as the type of the attack, an additional attack that adds an anomalous message to a normal message. In addition, when the determiner determines that a second message has been transmitted to the network when the mobile body is moving, the determiner may identify, as the type of the attack, a replacement attack that replaces a normal message with an anomalous message, the second message being transmitted from outside the mobile body to the network when the mobile body is not moving. Alternatively, when the determiner determines that a first message determined to have the anomaly has been transmitted when transmission of the first message is stopped by a diagnostic packet, the determiner may identify, as the type of the attack, a replacement attack that replaces a normal message with an anomalous message.

With this configuration, it is possible to more accurately determine an attack determined as an event that has occurred in the network.

An electronic control system according to one aspect of the present disclosure includes: an anomaly determining device including a receiver that receives messages transmitted from a device included in a network installed in a mobile body, and an anomaly determiner that determines whether the messages received by the receiver are anomalies; and an attack determining device that, when the anomaly determiner determines that a message among the messages received by the receiver has an anomaly, determines whether a cause of the anomaly is an attack on the network, and outputs a result of the determination.

With this configuration, since, when the message is determined to have the anomaly, the cause of the anomaly that the message has been determined to have is the attack, it is possible to more accurately determine an event that has occurred in the network. To put it another way, it is possible to determine whether the cause of the anomaly is an attack or a cause other than the attack such as a breakdown or bug. As a result, it is possible to take appropriate measures to the anomaly. Specifically, when the cause of the anomaly is a breakdown, it is possible to address the anomaly appropriately by replacing a broken-down component. In addition, when the cause of the anomaly is an attack, it is possible to address the anomaly appropriately by identifying a route and a method used by the attack and taking measures to the route and the method.

It should be noted that these general or specific aspects may be implemented using a system, a method, an integrated circuit, a computer program, or a computer-readable recording medium such as CD-ROM, or may be implemented using any combination of systems, methods, integrated circuits, computer programs, or recording media.

Hereinafter, an embodiment will be described in detail with reference to the drawings.

It should be noted that the embodiment described below represents a generic or specific example. The numerical values, shapes, materials, structural components, the arrangement and connection of the structural components, steps, and the order of the steps, etc. shown in the following embodiment are mere examples, and are not intended to limit the scope of the present disclosure. Moreover, among the structural components of the following embodiment, those not recited in any one of the independent claims that indicate the broadest concepts of the present disclosure are described as optional structural components. Furthermore, the figures are schematic diagrams and are not necessarily precise illustrations. In addition, identical structural components are given the same reference signs in the figures.

[Embodiment]

FIG. 1 is a diagram showing an exemplary configuration of a communication system including an in-vehicle network in an embodiment.

This communication system includes in-vehicle network 100, server 200, and diagnostic device 300.

In-vehicle network 100 is installed in vehicle 1 such as an automobile and controls, for example, the traveling of vehicle 1. Such in-vehicle network 100 is a network system including electronic control units (ECUs) connected to each other via a bus (i.e., a network bus). The ECUs communicate with each other in accordance with a controller area network (CAN) protocol specified by ISO 11898. To put it another way, each of the ECUs transmits and receives CAN frames. Types of a frame include, for example, a data frame, a remote frame, an overload frame, and an error frame. Among these types, a data frame is hereinafter referred to as a message (or a CAN message).

Server 200 communicates with in-vehicle network 100 via a communication network outside vehicle 1, such as the Internet. For example, server 200 collects, as a log, information transmitted from in-vehicle network 100, and analyzes the log.

Diagnostic device 300 is used to diagnose in-vehicle network 100. Specifically, diagnostic device 300 diagnoses in-vehicle network 100 when vehicle 1 is standing. At this time, diagnostic device 300 transmits into in-vehicle network 100, as a diagnostic message, a diagnostic packet for stopping processing of each ECU etc. included in in-vehicle network 100. Instead of the stopped ECU, diagnostic device 300 transmits a message into in-vehicle network 100 and monitors the processing of the ECU relative to the message, thereby diagnosing in-vehicle network 100.

In an example shown by FIG. 1, in-vehicle network 100 includes first ECU 110, second ECU 120, and communication ECU 130 as ECUs connected to each other via a bus, and further includes attack detection device 140. It should be noted that although in-vehicle network 100 includes the three ECUs in the example shown by FIG. 1, the number of ECUs is not limited to three and may be two or at least four.

Each of first ECU 110 and second ECU 120 is a device for performing control of vehicle 1, such as acceleration, braking, or steering of vehicle 1.

Communication ECU 130 communicates with, for example, server 200 via a communication network outside vehicle 1. For this reason, each ECU other than communication ECU 130 and attack detection device 140 included in in-vehicle network 100 are capable of communicating with server 200 via communication ECU 130.

It should be noted that each of the ECUs (i.e., first ECU 110, second ECU 120, communication ECU 130) is, for example, a device including, as hardware, a digital circuit such as a processor (i.e., a microprocessor) and memory, an analog circuit, or a communication circuit, etc. The memory is read-only memory (ROM) or random-access memory (RAM), etc., and is capable of storing a program (i.e., software or a computer program) executed by the processor. Each ECU implements various functions for controlling vehicle 1 and the like by, for example, the processor operating in accordance with the program. The program is configured with a combination of operation codes indicating instructions to the processor, so as to implement a predetermined function.

Attack detection device 140 is a device that detects an attack on in-vehicle network 100 or vehicle 1 including in-vehicle network 100, and is also referred to as an electronic control system. Moreover, attack detection device 140 may be configured as an ECU, and when in-vehicle network 100 includes a gateway, the gateway may include attack detection device 140. It should be noted that although attack detection device 140 is included in in-vehicle network 100 in the present embodiment, attack detection device 140 may be included in server 200.

Attack detection device 140 in the present embodiment receives a message that passes through the bus of in-vehicle network 100 and determines whether the message has an anomaly. Moreover, when attack detection device 140 determines that the message has the anomaly, attack detection device 140 further determines whether a cause of the anomaly is an attack on in-vehicle network 100.

FIG. 2 is a block diagram showing an exemplary configuration of attack detection device 140 in the present embodiment.

Attack detection device 140 includes anomaly determiner 141, attack determiner 142, and transmitter-receiver 143.

Transmitter-receiver 143 receives a message transmitted from each of first ECU 110, second ECU 120, and communication ECU 130 via the bus. Moreover, transmitter-receiver 143 transmits via the bus information based on a processing result of each of anomaly determiner 141 and attack determiner 142. This information may be transmitted, for example, to server 200 via communication ECU 130 and the communication network.

Anomaly determiner 141 determines whether a message received by transmitter-receiver 143 has an anomaly.

Attack determiner 142 determines whether a cause of the anomaly that the message has been determined to have by anomaly determiner 141 is an attack on in-vehicle network 100. For example, when attack determiner 142 determines that the cause of the anomaly is the attack, attack determiner 142 notifies a user, server 200, or at least one of the devices included in in-vehicle network 100 that the attack has taken place.

For example, attack determiner 142 may notify the user of vehicle 1 that an attack has taken place, by causing a display device of vehicle 1 to display a text message. Examples of such a text message include “There is a possibility that an attack has taken place, so please stop the vehicle and check the update of software.” Moreover, attack determiner 142 may notify server 200 that an attack has taken place, by transmitting a log of a message determined to have an anomaly due to the attack and a log of another message related to the message. Furthermore, attack determiner 142 may notify at least one of the devices included in in-vehicle network 100 that an attack has taken place, by transmitting to the at least one device via the bus a signal for limiting or reducing the operation of vehicle 1. Consequently, the at least one device included in in-vehicle network 100 causes vehicle 1 to, for example, slow down gradually and stop at an available parking place.

When attack determiner 142 determines that the cause of the anomaly is not an attack, attack determiner 142 may notify the user, server 200, or at least one of the devices included in in-vehicle network 100 that a breakdown has occurred. For example, the display device of vehicle 1 notifies the user that a breakdown has occurred, by displaying a text message. Examples of such a text message include “There is a possibility that the vehicle has broken down, so please ask a car dealer to provide vehicle maintenance.” In other words, in the present embodiment, when attack determiner 142 determines that the cause of the anomaly is not an attack, attack determiner 142 may output information indicating a possibility that a device such as first ECU 110 or second ECU 120 has broken down. Consequently, since the information indicating the possibility of the breakdown is outputted when the cause of the anomaly is not the attack, it is possible to address the anomaly appropriately by, for example, replacing a broken-down component.

Here, in the present embodiment, transmitter-receiver 143 and attack determiner 142 constitute an electronic control unit. In other words, as in the present embodiment, this electronic control unit may be included together with anomaly determiner 141 in attack detection device 140, or may be included in a device different from a device including anomaly determiner 141. Moreover, anomaly determiner 141 may be included in one of in-vehicle network 100 and server 200, and the electronic control unit may be included in the other of in-vehicle network 100 and server 200. In view of the above, in the present embodiment, even when the electronic control unit and anomaly determiner 141 are included in one device or separately included in two mutually different devices, a system comprising the electronic control unit and anomaly determiner 141 is referred to as an electronic control system.

As stated above, the electronic control unit according to the present embodiment includes: transmitter-receiver 143 that receives first messages from first ECU 110 included in in-vehicle network 100; and attack determiner 142 that, when a first message among the first messages received by transmitter-receiver 143 is determined to have an anomaly, determines whether a cause of the anomaly is an attack on in-vehicle network 100, and outputs a result of the determination. It should be noted that when, instead of a first message, a second message transmitted from second ECU 120 is determined to have an anomaly, attack determiner 142 may determine whether a cause of the anomaly that the second message has been determined to have is an attack on in-vehicle network 100. In other words, a device that transmits a target message to be determined may be first ECU 110, second ECU 120, or another device included in in-vehicle network 100. Moreover, in the above example, an output of an attack determination result is performed as a notification to the user of vehicle 1, server 200, or at least one of the devices included in in-vehicle network 100.

Accordingly, since, when a message is determined to have an anomaly, a cause of the anomaly that the message has been determined to have is an attack, it is possible to more accurately determine an event that has occurred in in-vehicle network 100. To put it another way, it is possible to determine whether the cause of the anomaly is an attack or a cause other than the attack such as a breakdown or bug. As a result, it is possible to take appropriate measures to the anomaly. Specifically, when the cause of the anomaly is a breakdown, it is possible to address the anomaly appropriately by replacing a broken-down component. Moreover, when the cause of the anomaly is an attack, it is possible to address the anomaly appropriately by identifying a route and a method used by the attack and taking measures to the route and the method.

FIG. 3 is a diagram showing causes of an anomaly and characteristics of the causes.

A cause of an anomaly is an attack or a cause other than the attack. In addition, an attack is of the following two types, for example. The first type is an adding-type attack (hereinafter referred to as an additional attack) that adds an anomalous first message to a normal message. In other words, the attack of the first type adds an anomalous message to a network through which a normal message is periodically passing. The second type is a replacing-type attack (hereinafter referred to as a replacement attack) that replaces a normal message with an anomalous message. To put it another way, the attack of the second type stops a normal message from periodically passing through a network, and causes an anomalous message instead of the normal message to periodically pass through the network. Examples of the cause other than the attack include a breakdown and a bug.

Here, the additional attack has three characteristics. The first characteristic (hereinafter also referred to as attack characteristic 1) is that a data amount increases. Since an anomalous message is further passed through a network when a normal message is periodically passing through the network, a data amount per unit of time increases. The second characteristic (hereinafter also referred to as attack characteristic 2) is that a normal message and an anomalous message coexist in the same time period. For example, a normal message and an anomalous message are transmitted alternately. The third characteristic (hereinafter also referred to as attack characteristic 4) is that anomalies coincide in various types of mutually related messages. When an attack takes place, it is rare that only one type of an anomalous message occurs independently. In an attack intended to take unauthorized control of the steering wheel of vehicle 1, it is assumed that the traveling speed of vehicle 1 is made to look like a low speed and a steering indicating angle of the steering wheel is increased suddenly. In this case, anomalies coincide in data of a message for controlling a steering angle and data of a message for notifying a traveling speed. As stated above, the third characteristic is that anomalies coincide in various types of mutually related messages. It should be noted that a type of a message may be defined by an ID (specifically a CAN-ID) included in the message. In addition, types of mutually related messages may be predetermined.

The replacement attack has three characteristics. The first characteristic (hereinafter also referred to as attack characteristic 3) is that the above-described diagnostic packet passes through a network as a diagnostic message even though a vehicle is traveling. In other words, when a diagnostic packet passes through an in-vehicle network of a traveling vehicle, there is a high possibility that the diagnostic packet is an unauthorized packet, transmission of a normal message from an ECU is stopped in an unauthorized manner, and instead of the normal message, an unauthorized message is passed through the in-vehicle network. The second characteristic (hereinafter also referred to as attack characteristic 3a) is accompanied by attack characteristic 3 and is that even though transmission of a message is stopped by a diagnostic packet in an unauthorized manner, the message is observed. It should be noted that although attack detection device 140 may use attack characteristic 3 in determining whether a cause of an anomaly is an attack in the following description, attack characteristic 3 may be replaced with attack characteristic 3a. Even when attack characteristic 3 is replaced with attack characteristic 3a, the same advantageous effect can be produced as the case in which attack characteristic 3 is used. Moreover, attack characteristic 3a may be used in addition to attack characteristic 3. The third characteristic is that anomalies coincide in various types of mutually related messages, as with the third attack characteristic of the additional attack. To put it another way, the third characteristic of the replacement attack is the same as the third characteristic of the additional attack and is equivalent to attack characteristic 4.

In contrast, attack characteristics 1 to 4 and 3a neither appear nor become prominent in a cause other than an attack.

In light of the above, attack detection device 140 in the present embodiment determines whether a cause of an anomaly is an attack, using such attack characteristics.

FIG. 4 is a flow chart showing an example of an overall processing operation by attack detection device 140.

Transmitter-receiver 143 of attack detection device 140 receives a message that passes through a bus (step S110). Next, anomaly determiner 141 determines whether the message received by transmitter-receiver 143 has an anomaly (step S120). For example, when a value indicated by a target message to be determined or an amount of change of the value is greater or less than a predetermined number, anomaly determiner 141 determines that the target message has an anomaly. It should be noted that the amount of change of the value indicated by the target message is, for example, a difference between the value of the target message and a value indicated by a message that is of the same type as the target message and is transmitted before the target message. Alternatively, anomaly determiner 141 may determine whether the target message has an anomaly, based on a transmission cycle of a message that is of the same type as the target message. For example, when the transmission cycle is shorter or longer than a predetermined cycle, anomaly determiner 141 determines that the target message has the anomaly.

Then, when anomaly determiner 141 determines that the message has the anomaly (Yes in step S120), attack determiner 142 determines whether a cause of the anomaly is an attack (step S130). For example, anomaly determiner 141 determines whether a cause of an anomaly is an attack, based on attack characteristics 1 to 4 shown by FIG. 3.

Here, when attack determiner 142 determines that the cause of the anomaly is the attack (Yes in step S130), attack determiner 142 notifies a user, server 200, or at least one of the devices included in in-vehicle network 100 that the attack has taken place (step S140).

On the other hand, when attack determiner 142 determines that the cause of the anomaly is not the attack (No in step S130), attack determiner 142 notifies the user, server 200, or at least one of the devices included in in-vehicle network 100 that the anomaly has occurred (step S150). At this time, attack determiner 142 may notify that the cause of the anomaly is not the attack, that is, a breakdown or a bug has occurred.

After that, transmitter-receiver 143 determines whether to end the reception of the message (step S160). For example, when ending conditions such as a case in which the power of in-vehicle network 100 is turned off are satisfied, transmitter-receiver 143 ends the reception of a message. In contrast, when the ending conditions are not satisfied, transmitter-receiver 143 repeatedly performs processing from step S110.

Here, as stated above, attack determiner 142 uses attack characteristics 1 to 4 shown by FIG. 3 when attack determiner 142 determines whether a cause of the anomaly is an attack in step S130.

For example, attack determiner 142 may use attack characteristic 1, that is, an increase in data amount. Specifically, the message determined to have the anomaly is a first message and is transmitted from, for example, first ECU 110. Moreover, in in-vehicle network 100, each of first messages including the first message determined to have the anomaly is transmitted sequentially via the bus. It should be noted that the first messages are of the same type, for example. In other words, the first messages have the same ID. At this time, attack determiner 142 determines whether a first data amount of the first messages transmitted per unit of time has increased from a second data amount of normal first messages transmitted per unit of time. Then, when attack determiner 142 determines that the first data amount has increased, attack determiner 142 determines that a cause of the anomaly is an attack.

For example, attack determiner 142 adds up a data amount of each of at least one first message received by transmitter-receiver 143 within a unit of time from when an anomalous first message is received by transmitter-receiver 143. In this way, a first data amount is calculated. It should be noted that this first data amount includes a data amount of the anomalous first message. Attack determiner 142 compares the first data amount and a second data amount, and when the first data amount is greater than the second data amount, attack determiner 142 determines that the first data amount has increased. The second data amount may be a predetermined data amount. In addition, the unit of time may be greater than or equal to a transmission cycle of a normal first message.

As stated above, in the present embodiment, since it is determined whether an attack characteristic that adds an anomalous message to a normal message has appeared, it is possible to determine such an attack, that is, the additional attack as the cause of the anomaly appropriately.

Moreover, attack determiner 142 may use attack characteristic 2, that is, the coexistence of a normal message and an anomalous message as a change in data. Specifically, attack determiner 142 determines whether the above-mentioned first messages include an anomalous first message and a normal first message, and when attack determiner 142 determines that the first messages include the anomalous first message and the normal first message, attack determiner 142 determines that the cause of the anomaly is an attack.

For example, attack determiner 142 determines whether an anomalous first message has been received by transmitter-receiver 143 within a predetermined period from when a normal first message is received by transmitter-receiver 143. At this time, when the anomalous first message is received by transmitter-receiver 143, attack determiner 142 determines that first messages include the anomalous first message and the normal first message; and when the anomalous first message is not received by transmitter-receiver 143, attack determiner 142 determines that the first messages do not include the anomalous first message. It should be noted that the predetermined period may be greater than or equal to a transmission cycle of the normal first message.

As stated above, in the present embodiment, since it is determined whether an attack characteristic that adds an anomalous message to a normal message has appeared, it is possible to determine such an attack, that is, the additional attack as the cause of the anomaly appropriately.

Moreover, attack determiner 142 may use attack characteristic 3, that is, the observation of a diagnostic packet. It should be noted that the observation of the diagnostic packet means that a diagnostic packet is observed as a diagnostic message when vehicle 1 is traveling. Specifically, attack determiner 142 determines whether a third message has been transmitted to in-vehicle network 100 when vehicle 1 is traveling, the third message being the above-mentioned diagnostic message transmitted to in-vehicle network 100 from outside vehicle 1 when vehicle 1 is not traveling. When attack determiner 142 determines that the third message has been transmitted when vehicle 1 is traveling, attack determiner 142 determines that the cause of the anomaly is an attack.

For example, attack determiner 142 obtains information about a traveling speed of vehicle 1 from a device of vehicle 1, and determines whether vehicle 1 is traveling, based on the information. In the case where a third message is received by transmitter-receiver 143 when attack determiner 142 determines that vehicle 1 is traveling, based on the information, attack determiner 142 determines that the cause of the anomaly is an attack.

Moreover, attack determiner 142 may use attack characteristic 3a. Specifically, when transmission of a first message is stopped by a diagnostic packet, attack determiner 142 determines whether a first message determined to have an anomaly has been transmitted; and when attack determiner 142 determines that the first message determined to have the anomaly has been transmitted, attack determiner 142 determines that the cause of the anomaly is an attack.

As stated above, in the present embodiment, since it is determined whether an attack characteristic that replaces a normal message with an anomalous message has appeared, it is possible to determine such an attack, that is, the replacement attack as the cause of the anomaly appropriately.

Moreover, attack determiner 142 may use attack characteristic 4, that is, coincidence. It should be noted that the coincidence means that anomalies coincide in various types of mutually related messages (or data). Specifically, attack determiner 142 determines whether a second message determined to have an anomaly has been transmitted by second ECU 120 included in in-vehicle network 100 in the same time period with a first message determined to have an anomaly, the second message being related to the first message. When attack determiner 142 determines that the second message determined to have the anomaly has been transmitted, attack determiner 142 determines that the cause of the anomaly is an attack.

For example, a second message is received by transmitter-receiver 143 within a predetermined time from when an anomalous first message is received by transmitter-receiver 143. When respective IDs of the first message and the second message are mutually associated with each other in a table held in advance, attack determiner 142 determines that the second message is related to the first message. When the second message is determined to have an anomaly by anomaly determiner 141, attack determiner 142 determines that the cause of the anomaly is an attack.

As stated above, in the present embodiment, since it is determined whether an attack characteristic has appeared, it is possible to determine the attack as the cause of the anomaly appropriately.

Here, attack determiner 142 may identify a type of the attack using any two of attack characteristics 1 to 4 shown by FIG. 3, and may give a notification in accordance with those types.

FIG. 5 is a flow chart showing a specific example of a processing operation by attack determiner 142.

For example, in step S130, attack determiner 142 determines whether attack characteristic 1 has appeared, that is, a data amount has increased (step S131). Here, when attack determiner 142 determines that the data amount has increased (Yes in step S131), attack determiner 142 determines that the cause of the anomaly is an attack, and identifies a type of the attack as an additional attack. As a result, in step S140, attack determiner 142 notifies the user, server 200, or at least one of the devices included in in-vehicle network 100 of the additional attack (step S141).

On the other hand, when attack determiner 142 determines that the data amount has not increased (No in step S131), attack determiner 142 determines whether attack characteristic 3 has appeared, that is, a diagnostic packet has been observed (step S132). Here, when attack determiner 142 determines that the diagnostic packet has been observed (Yes in step S132), attack determiner 142 determines that the cause of the anomaly is an attack, and identifies a type of the attack as a replacement attack. As a result, in step S140, attack determiner 142 notifies the user, server 200, or at least one of the devices included in in-vehicle network 100 of the replacement attack (step S142).

FIG. 6 is a flow chart showing another specific example of the processing operation by attack determiner 142.

For example, in step S130, attack determiner 142 determines whether attack characteristic 2 has appeared, that is, the coexistence of a normal message and an anomalous message has occurred as a change in data (step S133). Here, when attack determiner 142 determines that the coexistence has occurred (Yes in step S133), attack determiner 142 determines that the cause of the anomaly is an attack, and identifies a type of the attack as an additional attack. As a result, in step S140, attack determiner 142 notifies the user, server 200, or at least one of the devices included in in-vehicle network 100 of the additional attack (step S141).

On the other hand, when attack determiner 142 determines that the coexistence has not occurred (No in step S133), attack determiner 142 determines whether attack characteristic 3 has appeared, that is, a diagnostic packet has been observed (step S132). Here, when attack determiner 142 determines that the diagnostic packet has been observed (Yes in step S132), attack determiner 142 determines that the cause of the anomaly is an attack, and identifies a type of the attack as a replacement attack. As a result, in step S140, attack determiner 142 notifies the user, server 200, or at least one of the devices included in in-vehicle network 100 of the replacement attack (step S142).

FIG. 7 is a flow chart showing another example of the overall processing operation by attack detection device 140. It should be noted that among the steps shown by the flow chart of FIG. 7, those that are the same as the steps shown by the flow chart of FIG. 4 are assigned the same reference signs as FIG. 4, and a detailed description thereof is omitted.

Attack determiner 142 may determine whether a cause of an anomaly is an attack, and when attack determiner 142 determines that the cause of the anomaly is the attack, attack determiner 142 may further identify a type of the attack.

For example, when transmitter-receiver 143 receives a message and anomaly determiner 141 determines that the message has an anomaly, attack determiner 142 of attack detection device 140 determines whether a characteristic common to the additional attack and the replacement attack has appeared (step S130a). In other words, as shown by FIG. 7, attack determiner 142 determines whether attack characteristic 4 has appeared, that is, mutually related anomalous messages have coincided, as a specific process in step S130 shown by FIG. 4 (step S130a). Here, when attack determiner 142 determines that the mutually related anomalous messages have coincided (Yes in step S130a), attack determiner 142 determines that the cause of the anomaly is an attack, and further identifies a type of the attack (step S170). To put it another way, attack determiner 142 detects which of attack characteristics 1 to 3 has appeared, and identifies, as the type of the attack, a type according to the characteristic that has appeared. For example, when attack determiner 142 detects the appearance of one of attack characteristics 1 and 2, attack determiner 142 identifies the additional attack according to the one attack characteristic as the type of the attack. Alternatively, when attack determiner 142 detects the appearance of attack characteristic 3, attack determiner 142 identifies the replacement attack according to attack characteristic 3 as the type of the attack.

More specifically, in in-vehicle network 100, each of first messages including a first message determined to have an anomaly has been transmitted sequentially, and a first data amount of the first messages transmitted per unit of time has increased from a second data amount of normal first messages transmitted per unit of time. In such a case, in the identification of a type of an attack in step S170, attack determiner 142 identifies, as the type of the attack, the additional attack that adds an anomalous message to a normal message. In other words, when attack determiner 142 determines that the first data amount of the first messages transmitted per unit of time has increased from the second data amount of the normal first messages transmitted per unit of time, attack determiner 142 identifies, as the type of the attack, the additional attack that adds the anomalous message to the normal message.

Moreover, in in-vehicle network 100, each of the first messages including the first message determined to have the anomaly has been transmitted sequentially, and the first messages include an anomalous first message and a normal first message. In such a case, in the identification of a type of an attack in step S170, attack determiner 142 identifies, as the type of the attack, the additional attack that adds an anomalous message to a normal message. In other words, when attack determiner 142 determines that the first messages include the anomalous first message and the normal first message, attack determiner 142 identifies, as the type of the attack, the additional attack that adds the anomalous message to the normal message.

Alternatively, a third message that is transmitted from outside vehicle 1 to in-vehicle network 100 when vehicle 1 is not traveling has been transmitted to in-vehicle network 100 when vehicle 1 is traveling. In such a case, in the identification of a type of an attack in step S170, attack determiner 142 identifies, as the type of the attack, the replacement attack that replaces a normal message with an anomalous message. In other words, when attack determiner 142 determines that a third message that is transmitted from outside vehicle 1 to in-vehicle network 100 when vehicle 1 is not traveling has been transmitted to in-vehicle network 100 when vehicle 1 is traveling, attack determiner 142 identifies, as the type of the attack, the replacement attack that replaces the normal message with the anomalous message. Alternatively, when attack determiner 142 determines that a first message determined to have the anomaly has been transmitted when transmission of a first message is stopped by a diagnostic packet, attack determiner 142 identifies, as the type of the attack, the replacement attack that replaces the normal message with the anomalous message.

Accordingly, it is possible to more accurately determine an attack determined as an event that has occurred in a network.
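The cause determination described above (attack characteristic 4 as the gate of step S130a, then attack characteristics 1 and 3 to identify the type in step S170, tested in the order used by FIG. 5) can be sketched as follows. This is an added example, not code from the disclosure: the IDs 0x100, 0x200 and 0x7DF, the relation table, all time windows and data amounts, and the traces are assumptions constructed for illustration, and attack characteristics 2 and 3a are left out.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Obs:
    t_ms: int        # reception time in milliseconds
    can_id: int      # message ID; same ID means same message type
    size: int        # payload bytes, counted as the "data amount"
    anomalous: bool  # verdict already produced by the anomaly determiner (S120)


# Every value below is an assumption; the text only calls them "predetermined".
UNIT_MS = 200                                   # unit of time (>= 100 ms cycle)
NORMAL_BYTES_PER_UNIT = {0x100: 16, 0x200: 16}  # second data amount per ID
RELATED = {0x100: {0x200}, 0x200: {0x100}}      # relation table held in advance
COINCIDE_MS = 50                                # "same time period"
DIAG_IDS = {0x7DF}                              # assumed diagnostic message ID
DIAG_LOOKBACK_MS = 500                          # assumed window for a diagnostic frame


def data_amount_increased(log: List[Obs], first: Obs) -> bool:
    """Characteristic 1: bytes of this ID within one unit of time exceed normal."""
    normal = NORMAL_BYTES_PER_UNIT.get(first.can_id)
    if normal is None:
        return False
    total = sum(o.size for o in log if o.can_id == first.can_id
                and first.t_ms <= o.t_ms < first.t_ms + UNIT_MS)
    return total > normal


def related_anomaly_coincides(log: List[Obs], first: Obs) -> bool:
    """Characteristic 4: a related ID is also anomalous in the same period."""
    related = RELATED.get(first.can_id, set())
    return any(o.anomalous and o.can_id in related
               and abs(o.t_ms - first.t_ms) <= COINCIDE_MS for o in log)


def is_moving(speed_log: List[Tuple[int, float]], t_ms: int) -> bool:
    """Latest speed sample at or before t_ms is above zero."""
    past = [kmh for t, kmh in sorted(speed_log) if t <= t_ms]
    return bool(past) and past[-1] > 0


def diagnostic_while_moving(log, speed_log, first: Obs) -> bool:
    """Characteristic 3: a diagnostic message was observed while traveling."""
    return any(o.can_id in DIAG_IDS
               and 0 <= first.t_ms - o.t_ms <= DIAG_LOOKBACK_MS
               and is_moving(speed_log, o.t_ms) for o in log)


def classify(log: List[Obs], speed_log: List[Tuple[int, float]]) -> str:
    """Works on a recorded window, since characteristic 1 looks forward in time."""
    log = sorted(log, key=lambda o: (o.t_ms, o.can_id))
    first = next((o for o in log
                  if o.anomalous and o.can_id not in DIAG_IDS), None)
    if first is None:
        return "no anomaly"
    if not related_anomaly_coincides(log, first):      # No in step S130a
        return "anomaly, not an attack"                # step S150
    if data_amount_increased(log, first):              # step S170
        return "additional attack"
    if diagnostic_while_moving(log, speed_log, first):
        return "replacement attack"
    return "attack, type not identified"


def periodic(can_id: int, times, bad_from=None) -> List[Obs]:
    """8-byte frames at the given times, anomalous from bad_from onward."""
    return [Obs(t, can_id, 8, bad_from is not None and t >= bad_from)
            for t in times]


def constructed_traces():
    """Constructed traces (not captured data): 100 ms cycle, frames at 0..400 ms."""
    ticks = range(0, 500, 100)
    additional = (periodic(0x100, ticks) + periodic(0x200, ticks)
                  + [Obs(205, 0x100, 8, True), Obs(305, 0x100, 8, True),
                     Obs(210, 0x200, 8, True), Obs(310, 0x200, 8, True)])
    replacement = (periodic(0x100, ticks, bad_from=300)
                   + periodic(0x200, ticks, bad_from=300)
                   + [Obs(250, 0x7DF, 8, False)])
    fault = periodic(0x100, ticks, bad_from=300) + periodic(0x200, ticks)
    return {"additional": additional, "replacement": replacement, "fault": fault}


if __name__ == "__main__":
    for name, trace in constructed_traces().items():
        print(name, "->", classify(trace, [(0, 60.0)]))
```

In the constructed fault trace only one ID turns anomalous, so the coincidence gate fails and the result is reported as an anomaly rather than an attack, which corresponds to the breakdown or bug notification of step S150.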

As stated above, the electronic control unit and the electronic control system in the present embodiment make it possible to more accurately determine an event that has occurred in in-vehicle network 100.

[Variations]

Although the electronic control unit according to one or more aspects has been described above based on the foregoing embodiment, the present disclosure is not limited to the foregoing embodiment. Various modifications to the present embodiment that can be conceived by a person with an ordinary skill in the art or those forms obtained by combining elements in different embodiments may be included in the scope of the one or more aspects, as long as the modifications and forms do not depart from the essence of the present disclosure.

For example, in the foregoing embodiment, attack determiner 142 determines whether any one or two of attack characteristics 1 to 4 shown by FIG. 3 have appeared, and determines whether a cause of the anomaly is an attack, based on a result of the determination. However, when at least three of above-described attack characteristics 1 to 4 appear in the same time period, attack determiner 142 may determine that a cause of the anomaly is an attack. In other words, attack determiner 142 determines whether at least one characteristic caused to appear by an attack has appeared in in-vehicle network 100 within a predetermined time, and when attack determiner 142 determines that the at least one characteristic has appeared, attack determiner 142 determines that a cause of the anomaly is an attack. The at least one characteristic may be one of attack characteristics 1 to 4. In addition, when the same characteristic appears multiple times within the above-described time, attack determiner 142 may determine that a cause of the anomaly is an attack.

Moreover, although attack determiner 142 determines that the cause of the anomaly is the replacement attack, based on attack characteristic 3 in the foregoing embodiment, attack determiner 142 may determine that the cause of the anomaly is the replacement attack, based on another characteristic. For example, as shown by FIG. 3, in the case of the replacement attack, data (i.e., a value) included in a message cyclically transmitted change steeply. Accordingly, attack determiner 142 may determine that the cause of the anomaly is the replacement attack, based on such a characteristic.

It should be noted that, in the foregoing embodiment, the respective elements may be configured using dedicated hardware or may be realized by executing a software program suitable for the respective elements. Each of the elements may be implemented by a program executer, such as a CPU or a processor, reading and executing a software program recorded on a recording medium, such as a hard disk or a semiconductor memory. Here, software that implements, for example, the electronic control unit or the electronic control system in the foregoing embodiment causes a computer to execute respective steps included in the flow charts shown by FIG. 4 to FIG. 7.

Moreover, the in-vehicle network 100 is a network system based on the CAN protocol in the foregoing embodiment. The CAN protocol may be interpreted broadly as including derivative protocols, such as Time-Triggered CAN and CAN with Flexible Data Rate (CANFD). Furthermore, a network used for communication between ECUs in a vehicle is not limited to a network according to the CAN protocol, and may be another network. Examples of a protocol other than CAN used by a network in which ECUs transmit and receive communication data include an Ethernet (registered trademark) protocol, a Local Interconnect Network (LIN) protocol, a Media Oriented Systems Transport (MOST (registered trademark)) protocol, a FlexRay (registered trademark) protocol, and a BroadR-Reach protocol.

Moreover, each ECU in the foregoing embodiment is defined as a device including, for example, a processor, a digital circuit such as memory, an analog circuit, and a communication circuit, but may also include a hard disk, a display, and other hardware elements. Furthermore, the functionality of each device described in the foregoing embodiment may be implemented by dedicated hardware (e.g., a digital circuit) instead of software causing a processor to execute a program recorded on memory.

Moreover, in-vehicle network 100 is a network system installed in vehicle 1 in the foregoing embodiment, but may be installed in a mobile body other than a vehicle such as construction equipment, farm equipment, a ship, a train, and an airplane.

Moreover, a part or all of the elements in each of the devices according to the foregoing embodiment may be implemented into a single Large Scale Integration (LSI). The system LSI is a super multi-function LSI that is a single chip into which a plurality of elements are integrated. More specifically, the system LSI is a computer system including a microprocessor, a ROM, a RAM, and the like. The RAM stores a computer program. The microprocessor operates according to the computer program, thereby causing each of the elements to execute the function. Furthermore, each of the elements included in each of the above-described devices may be integrated separately, or a part or all of them may be integrated into a single chip. The system LSI is described here, but the integrated circuit may also be referred to as an integrated circuit (IC), a system LSI circuit, a super LSI circuit or an ultra LSI circuit depending on the degree of integration. Moreover, the circuit integration technique is not limited to LSI, and may be realized by a dedicated circuit or a general purpose processor. After manufacturing of the LSI circuit, a field programmable gate array (FPGA) or a reconfigurable processor which is reconfigurable in connection or settings of circuit cells inside the LSI circuit may be used. Further, when development of a semiconductor technology or another derived technology provides a circuit integration technology which replaces LSI, as a matter of course, functional blocks may be integrated by using this technology. Adaption of biotechnology, for example, is a possibility.

Moreover, a part or all of the elements included in each of the above-described devices may be implemented into an Integrated Circuit (IC) card or a single module which is attachable to and removable from the device. The IC card or the module is a computer system including a microprocessor, a ROM, a RAM, and the like. The IC card or the module may include the above-described super multi-function LSI. The microprocessor operates according to the computer program to cause the IC card or the module to execute its functions. The IC card or the module may have tamper resistance.

Moreover, one aspect of the present disclosure may be an electronic control method including, for example, part or all of the procedures shown by FIG. 4 to FIG. 7. Furthermore, one aspect of the present disclosure may be a program for allowing a computer (a computer program) to perform the process according to the electronic control method, or may be digital signals made up of the program.

Moreover, one aspect of the present disclosure may be the computer program or the digital signals recorded on a computer-readable recording medium, such as a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, DVD-ROM, DVD-RAM, Blu-ray (registered trademark) disc (BD), and a semiconductor memory. In addition, one aspect of the present disclosure may be the digital signals recorded on these recording media.

Moreover, one aspect of the present disclosure may be the program or the digital signals transmitted via a telecommunication line, a wireless or wired communication line, a network represented by the Internet, a data broadcast, and so on. Furthermore, one aspect of the present disclosure may be a computer system including a microprocessor and memory, in which the memory stores the program and the microprocessor operates according to the program. In addition, the program or the digital signals may be performed by another independent computer system by transmitting the program or the digital signals recorded on the recording medium, or by transmitting the program or the digital signals via the network etc.

The scope of the present disclosure encompasses forms obtained by combining any of the elements and functions described in the foregoing embodiment and the variations. While various embodiments have been described herein above, it is to be appreciated that various changes in form and detail may be made without departing from the spirit and scope of the present disclosure as presently or hereafter claimed.

INDUSTRIAL APPLICABILITY

The present disclosure makes it possible to more accurately determine an event that has occurred in a network, and is applicable to, for example, a network in which control according to a CAN protocol is performed.

The invention claimed is:
 1. An electronic control unit, comprising: a processor; and a memory which stores an instruction, wherein when the processor executes the instruction stored in the memory, the processor operates as: a receiver that receives first messages transmitted from a first device included in a network installed in a mobile body; and a determiner that, when a first message among the first messages received by the receiver is determined to have an anomaly, determines whether a cause of the anomaly is an attack on the network, and outputs a result of the determination, wherein when the determiner determines that the cause of the anomaly is not the attack, the determiner further outputs information indicating a possibility of a breakdown of the first device, wherein when the determiner determines that the cause of the anomaly is the attack, the determiner further identifies a type of the attack, and wherein when the determiner determines that a second message has been transmitted to the network when the mobile body is moving, the determiner identifies, as the type of the attack, a replacement attack that replaces a normal message with an anomalous message, the second message being transmitted from outside the mobile body to the network when the mobile body is not moving.
 2. The electronic control unit according to claim 1, wherein the determiner determines whether a first data amount of the first messages transmitted per unit of time has increased from a second data amount of normal first messages transmitted per unit of time, and when the determiner determines that the first data amount has increased from the second data amount, the determiner determines that the cause of the anomaly is the attack.
 3. The electronic control unit according to claim 1, wherein the determiner determines whether the first messages include an anomalous first message and a normal first message, and when the determiner determines that the first messages include the anomalous first message and the normal first message, the determiner determines that the cause of the anomaly is the attack.
 4. The electronic control unit according to claim 1, wherein the determiner determines whether a second message that is determined to have an anomaly has been transmitted from a second device included in the network in a same time period with the first message determined to have the anomaly, and when the determiner determines that the second message has been transmitted, the determiner determines that a cause of the anomaly is the attack, the second message being related to the first message determined to have the anomaly.
 5. The electronic control unit according to claim 1, wherein the determiner determines whether a third message has been transmitted to the network when the mobile body is moving, and when the determiner determines that the third message has been transmitted, the determiner determines that the cause of the anomaly is the attack, the third message being transmitted from outside the mobile body to the network when the mobile body is not moving.
 6. The electronic control unit according to claim 1, wherein the determiner determines whether the first message determined to have the anomaly has been transmitted when transmission of a first message is stopped by a diagnostic packet, and when the determiner determines that the first message determined to have the anomaly has been transmitted, the determiner determines that the cause of the anomaly is the attack.
 7. The electronic control unit according to claim 1, wherein the determiner determines whether at least one characteristic that appears due to an attack has appeared in the network within a predetermined time period, and when the determiner determines that the at least one characteristic has appeared, the determiner determines that the cause of the anomaly is the attack.
 8. The electronic control unit according to claim 1, wherein when the determiner determines that a first data amount of the first messages transmitted per unit of time has increased from a second data amount of normal first messages transmitted per unit of time, the determiner identifies, as the type of the attack, an additional attack that adds an anomalous message to a normal message.
 9. The electronic control unit according to claim 1, wherein when the determiner determines that the first messages include an anomalous first message and a normal first message, the determiner identifies, as the type of the attack, an additional attack that adds an anomalous message to a normal message.
 10. The electronic control unit according to claim 1, wherein when the determiner determines that a first message determined to have the anomaly has been transmitted when transmission of the first message is stopped by a diagnostic packet, the determiner identifies, as the type of the attack, a replacement attack that replaces a normal message with an anomalous message.
 11. An electronic control system, comprising: an anomaly determining device including a receiver that receives messages transmitted from a device included in a network installed in a mobile body, and an anomaly determiner that determines whether the messages received by the receiver are anomalies; and an attack determining device that, when the anomaly determiner determines that a message among the messages received by the receiver has an anomaly, determines whether a cause of the anomaly is an attack on the network, and outputs a result of the determination, wherein when the attack determining device determines that the cause of the anomaly is not the attack, the attack determining device further outputs information indicating a possibility of a breakdown of the device included in the network, wherein when the determiner determines that the cause of the anomaly is the attack, the determiner further identifies a type of the attack, and wherein when the determiner determines that a second message has been transmitted to the network when the mobile body is moving, the determiner identifies, as the type of the attack, a replacement attack that replaces a normal message with an anomalous message, the second message being transmitted from outside the mobile body to the network when the mobile body is not moving.